anadius / gd-efc

Google Drive - encrypted folder copy
https://anadius.github.io/gd-efc/

OOB auth flow is scheduled for deprecation #15

Closed PBhadoo closed 2 years ago

PBhadoo commented 2 years ago

Just learned about this: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html?m=1#disallowed-oo

Can you fix this? Doesn't require much work if you do this.

https://bdi-generator.hashhackers.com

I have used JS to get the code from the parameters and fill it in on the site automatically.

anadius commented 2 years ago

I can, but it won't be that nice.

So the only solution is a redirection to 127.0.0.1:someport. And since I don't want to create any application that the user has to run on their PC, and since you can't create a server in JavaScript in your browser, people will get redirected to a page that doesn't load. Then they will have to copy the URL of it and paste it into a box. I have it ready but I'm not pushing it yet - because I know people will ask "what do I do, the page doesn't load" despite clear instructions telling them that this will happen.
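The paste-the-URL fallback described in the comment above, as an added example (not part of the thread and not gd-efc's code): it extracts the authorization code from the pasted loopback URL and refuses anything that is not the response to this page's own request. The function name, the port and the use of a `state` value are assumptions.

```javascript
// Added example. The function name, port and state handling are assumptions;
// the URLs it is exercised with are constructed.
function parsePastedRedirect(pasted, expectedState, expectedPort) {
  let url;
  try {
    url = new URL(String(pasted).trim());
  } catch {
    return { ok: false, reason: "not-a-url" };
  }
  // Only accept the loopback redirect this page itself requested. Comparing
  // the parsed hostname (not a substring) rejects look-alikes such as
  // http://127.0.0.1:8976@other.example/ or 127.0.0.1.other.example.
  if (url.protocol !== "http:" || url.hostname !== "127.0.0.1" ||
      url.port !== String(expectedPort)) {
    return { ok: false, reason: "not-our-redirect" };
  }
  const params = url.searchParams;
  // state ties the response to the request started in this browser tab;
  // a missing or different value means the URL came from somewhere else.
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state-mismatch" };
  }
  // The authorization server reports refusals as ?error=... (RFC 6749, 4.1.2.1).
  if (params.has("error")) {
    return { ok: false, reason: "authorization-error", error: params.get("error") };
  }
  // Exactly one non-empty code; duplicates are ambiguous, so refuse them.
  const codes = params.getAll("code");
  if (codes.length !== 1 || codes[0] === "") {
    return { ok: false, reason: "no-single-code" };
  }
  return { ok: true, code: codes[0] };
}
```

The `reason` values map directly to the messages a page would show, including the case where the user pastes something that is not a URL at all.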

PBhadoo commented 2 years ago

Verification is not a big deal, I can get it verified for you. I can just make a new Gmail account, get it verified and send the details of the Gmail account to you.

Why? The reason you said, people won't read and ask stupid questions. I had to push this so they won't ask. I've a pretty good trick to get an app verified by Google.

anadius commented 2 years ago

Good for you but my answer is still "no".

  1. Right now I use rclone's credentials by default. While obfuscated in rclone's source code - they are publicly known. If I use my own app - my credentials would be known too, and I don't want that.
  2. You can make it work with client ID alone - using Google API Client Library for JavaScript - but then you lose the ability to quickly switch between accounts, since you can be authorised with one account only.
  3. Other people host the decryption page on their websites. And my app would work with redirection to my website only. I'd either have to create different auth flows or require other people to create their own apps and get them verified. And I won't do that.